LibWeb: Do not store network errors as a StringView

This is very clearly a very dangerous API to have, and was causing
a crash on Linux as a result of a stack use-after-free when visiting
https://www.index.hr/.

Fixes #3901
Shannon Booth 2025-04-02 20:51:45 +13:00 committed by Andreas Kling
commit a5df972055
Notes: github-actions[bot] 2025-04-02 12:54:16 +00:00
10 changed files with 44 additions and 50 deletions

@ -63,7 +63,7 @@ WebIDL::ExceptionOr<GC::Ref<XMLHttpRequest>> XMLHttpRequest::construct_impl(JS::
{
auto upload_object = realm.create<XMLHttpRequestUpload>(realm);
auto author_request_headers = Fetch::Infrastructure::HeaderList::create(realm.vm());
auto response = Fetch::Infrastructure::Response::network_error(realm.vm(), "Not sent yet"sv);
auto response = Fetch::Infrastructure::Response::network_error(realm.vm(), "Not sent yet"_string);
auto fetch_controller = Fetch::Infrastructure::FetchController::create(realm.vm());
return realm.create<XMLHttpRequest>(realm, *upload_object, *author_request_headers, *response, *fetch_controller);
}
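Review bot: In construct_impl the initial network error reads "Not sent yet", while open() and abort() use "Not yet sent" for the same unsent state. Suggest one wording at all three call sites so the message does not depend on which path last reset the response.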
@ -529,7 +529,7 @@ WebIDL::ExceptionOr<void> XMLHttpRequest::open(String const& method_string, Stri
// Empty thiss author request headers.
m_author_request_headers->clear();
// Set thiss response to a network error.
m_response = Fetch::Infrastructure::Response::network_error(realm().vm(), "Not yet sent"sv);
m_response = Fetch::Infrastructure::Response::network_error(realm().vm(), "Not yet sent"_string);
// Set thiss received bytes to the empty byte sequence.
m_received_bytes = {};
// Set thiss response object to null.
@ -845,7 +845,7 @@ WebIDL::ExceptionOr<void> XMLHttpRequest::send(Optional<DocumentOrXMLHttpRequest
auto process_body_error = GC::create_function(heap(), [this](JS::Value) {
auto& vm = this->vm();
// 1. Set thiss response to a network error.
m_response = Fetch::Infrastructure::Response::network_error(vm, "A network error occurred processing body."sv);
m_response = Fetch::Infrastructure::Response::network_error(vm, "A network error occurred processing body."_string);
// 2. Run handle errors for this.
// NOTE: This cannot throw, as `handle_errors` only throws in a synchronous context.
// FIXME: However, we can receive allocation failures, but we can't propagate them anywhere currently.
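Review bot: The NOTE and FIXME at the end of this hunk describe what can fail inside process_body_error, and with this change the network_error argument in step 1 is an owning string built inside the callback rather than a view of a literal. Suggest extending the FIXME to say whether constructing "A network error occurred processing body."_string counts among the allocation failures that cannot be propagated, or is treated as infallible here.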
@ -1140,7 +1140,7 @@ void XMLHttpRequest::abort()
// Spec Note: No readystatechange event is dispatched.
if (m_state == State::Done) {
m_state = State::Unsent;
m_response = Fetch::Infrastructure::Response::network_error(vm(), "Not yet sent"sv);
m_response = Fetch::Infrastructure::Response::network_error(vm(), "Not yet sent"_string);
}
}
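Review bot: The "Not yet sent"_string literal in abort() duplicates the one assigned in open(), so the two resets to the unsent state can drift apart over time. Suggest a small shared helper or constant that produces the unsent-state network error, called from both places.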
@ -1245,7 +1245,7 @@ JS::ThrowCompletionOr<void> XMLHttpRequest::request_error_steps(FlyString const&
m_send = false;
// 3. Set xhrs response to a network error.
m_response = Fetch::Infrastructure::Response::network_error(realm().vm(), "Failed to load"sv);
m_response = Fetch::Infrastructure::Response::network_error(realm().vm(), "Failed to load"_string);
// 4. If xhrs synchronous flag is set, then throw exception.
if (m_synchronous) {